" The foundational components for Smart Card Services in OS X have been based on an architecture (CDSA) that has been deprecated in the released version of OS X Lion.

This indicates CDSA's use and support has stopped and will be removed completely in a future release of OS X.

Any solution for OS X still leveraging the deprecated CDSA can continue to function for now, but the CDSA infrastructure would no longer receive enhancements or bug fixes.

CDSA will no longer ship in future releases of OS X. "

This email was written by Shawn Geddis, Security Consulting Engineer. Shawn works at Apple.

Tokend from Apple

So in Mac OS X 10.7 Lion no tokend is provided any more. The directory /System/Library/Security/tokend/ is empty in a fresh Lion installation.

Tokend from other sources

In the same email Shawn gives some options to replace the tokend no longer provided by Apple:

Open Source Options (from "Apple")

The source code of the tokend provided by Apple (in Tiger, Leopard and Snow Leopard) was already available as Free Software from the Smart Card Services project. It is now the official source to get them.

Commercial tokend from third parties should still be available and usable on Lion.

Since installing a tokend from source code is not a trivial task, "Apple" provides an installer. It is not really Apple that provides the installer but the Smart Card Services project. So bugs should be reported to the project bug tracker.

Smart Card Services project

This project was started by Shawn Geddis in January 2009. The members of the project are listed on this page.

I was invited to join the team to work on the pcsc-lite and CCID parts. These parts are still provided by Apple in Lion.

I am not an Apple employee, so I know nothing of Apple's secret plans. For example I do not know why Lion provides the CCID driver version 1.3.11 and not a more recent version (the latest is 1.4.4). See Mac OS X Lion and smart cards status for more information.

You can see from the project bug tracker that a lot of bugs are open and some are quite old now (like this one requesting help about a tokend for Mac OS X 10.4 Tiger on a G4 processor). It is hard to get people working for free on a project. So if Apple does not invest some manpower into fixing bugs and answering bug reports, the bugs will not be fixed.

After tokend

I guess Apple is working on something to replace tokend when CDSA will be removed. But I have no idea what it will be.

Conclusion

My interpretation is that Apple is doing with tokend what they also do with Java and Flash: they let other people/companies provide and maintain the software.

CC_crypto(3cc) LOCAL CC_crypto(3cc)

NAME
     CommonCrypto -- libSystem digest library

DESCRIPTION
     The libSystem CommonCrypto library implements a wide range of
     cryptographic algorithms used in various Internet standards. The services
     provided by this library are used by the CDSA implementations of SSL,
     TLS and S/MIME.

OVERVIEW
     libSystem contains the Common Crypto collection of algorithms.
     Digest and encryption algorithms contained in this library are optimized for
     speed. The algorithms have been collected from various sources and chosen
     for their performance characteristics. Since libSystem is linked into all
     executables it is preferable for applications to use these functions rather
     than implementing their own versions.

NOTES
     To use the digest functions with existing code which uses the
     corresponding openssl functions, #define the symbol
     COMMON_DIGEST_FOR_OPENSSL in your client code (BEFORE including
     <CommonCrypto/CommonDigest.h>).

     You can *NOT* mix and match functions operating on a given data type
     from the two implementations; i.e., if you do a CC_MD5_Init()
     on a CC_MD5_CTX object, do not assume that you can do an openssl-style
     MD5_Update() on that same context.

     The interfaces to the encryption and HMAC algorithms have a calling
     interface that is different from that provided by OpenSSL.

SEE ALSO
     CC_MD5(3cc), CC_SHA(3cc), CCHmac(3cc), CCCryptor(3cc)

BSD April 5, 2007 BSD

Notes

The man page is quite old (April 2007) and references CDSA. CDSA has also been deprecated in Lion, but we will talk about that later.

Common Crypto should also be available in Leopard (the man page exists for 10.5). So you can update your project to use Common Crypto for Lion, and the same source code can be used on Snow Leopard (and maybe even Leopard).

Conclusion

OpenSSL is expected to be removed in a later Mac OS X version.

For projects using OpenSSL on Mac OS X you have two options:

move from OpenSSL to Common Crypto

provide your own version of OpenSSL in the installer (or use a static link)

The version from the SmartCard Services macosforge project has mainly been contributed by myself.

The subversion revision 123 is not the latest one. It is dated 03/27/2010 03:50:42 (17 months ago). But no bugs have been fixed since this version (on macosforge). The current SVN revision (on macosforge) is 139.

Bugs fixed

I extracted the major changes from the subversion history. The revision number points to the change in the repository (if you need more details).

[r28] /trunk/SmartCardServices/src/PCSC/atrhandler.c: resynch with pcsc-lite. Closes bug rdar://problem/6920676 Smart cards defining support of T=0 and T=15 (but not T=1) in their ATR can't be used since pcscd tells the driver to use T=1 and the card does not support that protocol.

[r76] /trunk/SmartCardServices/src/PCSC/wintypes.h: remove the deprecated warning on LPTSTR and LPCTSTR since they are the documented types for the Windows WinSCard API. This removes compilation warnings in cross-OS applications.

[r94] /trunk/SmartCardServices/src/PCSC/readerfactory.c: RFAwakeAllReaders(): restart all the slots of a reader, not just the first one, when the computer comes back from hibernation

[r98] /trunk/SmartCardServices/src/PCSC/atrhandler.c: ATRDecodeAtr(): check for TA2 (specific mode) even if TD2 is not present. "3F 80 10 01" was not parsed correctly, for example, and T=0 was used instead of T=1 (specific mode). Same patch as revision 4615 in upstream pcsc-lite: http://svn.debian.org/viewsvn/pcsclite?view=rev&revision=4615

The bugs were either Mac OS X specific or already fixed in pcsc-lite "upstream".
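The two protocol-selection bugs above (r28: T=15 must never be picked as the protocol; r98: TA2 must be honoured even when TD2 is absent) can be illustrated with a small ATR interface-byte decoder. This is an added example, not code from the SmartCard Services project or from upstream pcsc-lite's atrhandler.c, and it is much simpler than the real decoder (TBi/TCi are skipped and TCK is not verified). The "3F 80 10 01" ATR is the one quoted in the r98 entry; the second sample ATR is constructed to match the r28 description.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct {            /* result of decoding an ISO 7816-3 ATR */
    unsigned offered;       /* bit n set when T=n appears in a TDi byte */
    int specific_mode;      /* 1 when TA2 is present: the card imposes one protocol */
    int protocol;           /* protocol the reader should be told to use */
} atr_info;

/* Decode the interface bytes of an ATR. Returns 0 on success, -1 if truncated. */
static int atr_decode(const uint8_t *atr, size_t len, atr_info *info)
{
    size_t pos = 2;                     /* TS is atr[0], T0 is atr[1] */
    int first_offered = -1;
    *info = (atr_info){ .protocol = -1 };
    if (len < 2) return -1;
    for (unsigned y = atr[1] >> 4, i = 1; y != 0; i++) {   /* Y1 is T0's high nibble */
        uint8_t ta = 0, td = 0; int have_ta = 0, have_td = 0;
        if (y & 0x1) { if (pos >= len) return -1; ta = atr[pos++]; have_ta = 1; }
        if (y & 0x2) { if (pos >= len) return -1; pos++; }      /* TBi: not needed here */
        if (y & 0x4) { if (pos >= len) return -1; pos++; }      /* TCi: not needed here */
        if (y & 0x8) { if (pos >= len) return -1; td = atr[pos++]; have_td = 1; }
        /* TA2 = specific mode, low nibble = mandatory protocol; honour it even without TD2 (r98) */
        if (i == 2 && have_ta) {
            info->specific_mode = 1;
            info->protocol = ta & 0x0F;
        }
        if (!have_td) break;
        unsigned t = td & 0x0F;
        info->offered |= 1u << t;
        /* T=15 only announces global interface bytes, it is never a transmission protocol (r28) */
        if (first_offered < 0 && t != 15) first_offered = (int)t;
        y = td >> 4;                    /* Yi+1 is the high nibble of TDi */
    }
    if (!info->specific_mode)           /* negotiable mode: first offered protocol, else T=0 */
        info->protocol = first_offered < 0 ? 0 : first_offered;
    return 0;
}

static int atr_protocol(const uint8_t *atr, size_t len)   /* protocol, or -1 if truncated */
{
    atr_info info;
    return atr_decode(atr, len, &info) == 0 ? info.protocol : -1;
}

/* Sample ATRs: the first is quoted in r98; the second is constructed (T=0 and T=15 offered, TCK included) */
static const uint8_t ATR_TA2_NO_TD2[] = { 0x3F, 0x80, 0x10, 0x01 };
static const uint8_t ATR_T0_AND_T15[] = { 0x3B, 0x80, 0x80, 0x1F, 0x03, 0x1C };
```

With the pre-r98 logic (TA2 only examined when TD2 is present) the first ATR would yield T=0 from TD1; the decoder above returns T=1.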

CCID driver

The CCID driver has also been updated. Snow Leopard provided version 1.3.8 of my CCID driver. Lion now provides version 1.3.11. See the upstream README file for changes.
Version 1.3.11 was released on 28 July 2009 (2 years ago) and is not the latest version available (1.4.4 as of today).

Issues and limitations

i386 driver

The driver is (still) an i386 binary only. Even though Lion no longer supports 32-bit CPUs, the CCID driver is not available as a 64-bit binary.

Maybe Apple will "fix" this in a future 10.7.x update, before the Lion+1 release.

Gemalto Prox DU reader

The Gemalto Prox DU reader is a dual-CCID reader (the reader is a composite device with two CCID interfaces). Its support was added in CCID driver version 1.3.11, so it is supported by default in Mac OS X Lion.

Apple's version of pcsc-lite does not support such composite devices. So the CCID driver contains a trick to simulate a dual-slot reader instead. This is enabled using the ./configure --enable-composite-as-multislot option. Unfortunately Apple has not built the driver with this option (and I can't blame Apple for not using an obscure option). So only the first CCID interface is available.

In Snow Leopard the Gemalto Prox DU reader was not supported, so a new driver had to be installed. If configured correctly, both CCID interfaces are available.
In Lion the reader is supported by default but only the first CCID interface is available. Installing another driver compiled with the correct option will not solve the problem, since the reader is already supported by the default CCID driver: pcscd uses the first driver it finds that supports a given smart card reader.
A solution is to remove the Gemalto Prox DU from the list of supported readers of the CCID driver provided by default and install a new driver just for the Gemalto Prox DU. But I don't like modifying files provided by others (Apple in this case).

Conclusion

The good news is that Apple has updated the PC/SC layer provided in Mac OS X Lion (compared to the one provided in Snow Leopard). The SmartCard Services project was a good idea, since Apple reused the code from this project. Apple has thus outsourced the maintenance of pcsc-lite.